On Fri, Oct 09, 2015 at 08:39:10AM -0400, Rob Crittenden wrote:
> Jan Orel wrote:
> > Hello,
> >
> > this patch removes (IMHO) redundant check in cert_show, which fails when
> > host tries to re-submit certificate of different host/service which he
> > can manage.
> >
> > I also reported the bug here:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1269089
> >
> > I tried to run the tests as well and it doesn't seem to break anything.
> > Any feedback appreciated.
>
> This works around the "Retrieve Certificates from the CA" ACL when done
> as a host.
>
> I guess if the hostname isn't the subject then the host for the subject
> needs to be read and then look to see if hostname is in the managed_by list.
>
> rob

Agreed.

The corresponding checks for certificate issuance via cert-request, where the
bind principal is a host, check that the subject host (and SAN dNSNames) is
"managed by" the bind host. This is checked via
`ldap.can_write(dn_of_subject_principal)'.

1. retrieve cert
2. read CN
3. ensure CN refers to a known host principal and call ldap.can_write(...) to
   ensure bind principal manages it.

Cheers,
Fraser

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
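The managed-by rule proposed in this thread, as an added example that is not FreeIPA's code: each name in the certificate (subject CN and SAN dNSNames) is mapped to a host principal and checked against the bind host, shown next to the exact-match rule the patch removes. The LDAP directory and `ldap.can_write()` are stood in for by a constructed in-memory table of host entries with their managedBy values; the realm and hostnames are made up.

```python
# Added example, not FreeIPA's implementation. Models the cert-show
# authorization decision for a host bind principal: the old exact-match
# rule versus the managed-by rule that cert-request already applies.

REALM = "EXAMPLE.TEST"  # constructed realm

# Constructed host entries: fqdn -> fqdns allowed to manage that host.
# This stands in for the LDAP host entry's managedBy attribute; in FreeIPA
# a host manages itself by default, so each entry lists its own name.
HOST_ENTRIES = {
    "ipa1.example.test": {"ipa1.example.test"},
    "web1.example.test": {"web1.example.test", "ipa1.example.test"},
    "db1.example.test": {"db1.example.test"},
}


def host_principal(fqdn):
    """Map a DNS name taken from the certificate to a host principal."""
    return "host/%s@%s" % (fqdn.lower().rstrip("."), REALM)


def can_write(bind_fqdn, target_fqdn):
    """Stand-in for ldap.can_write(dn): True if bind host manages target."""
    managers = HOST_ENTRIES.get(target_fqdn)
    return managers is not None and bind_fqdn in managers


def old_check(bind_fqdn, subject_cn, san_dnsnames=()):
    """Exact-match rule under discussion: subject must be the bind host.
    Fails for a host re-submitting a cert of another host it manages."""
    return host_principal(subject_cn) == host_principal(bind_fqdn)


def managed_by_check(bind_fqdn, subject_cn, san_dnsnames=()):
    """Proposed rule: every name in the certificate must resolve to a known
    host entry, and the bind host must be allowed to write each of them."""
    for name in {subject_cn, *san_dnsnames}:
        if "*" in name:  # a wildcard never identifies one host entry
            return False
        fqdn = name.lower().rstrip(".")
        if fqdn not in HOST_ENTRIES:  # CN/SAN is not a known host principal
            return False
        if not can_write(bind_fqdn, fqdn):  # known host, but not managed
            return False
    return True


if __name__ == "__main__":
    # The reported case: ipa1 manages web1 and re-submits web1's certificate.
    print("old rule:", old_check("ipa1.example.test", "web1.example.test"))
    print("new rule:", managed_by_check("ipa1.example.test", "web1.example.test"))
```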